CVE-2021-38387

7.5 HIGH

📋 TL;DR

This vulnerability in Contiki 3.0's Telnet server causes connected clients to enter an infinite loop when the server silently quits before disconnecting. This leads to excessive CPU consumption on affected devices. Systems running Contiki 3.0 with Telnet server enabled are vulnerable.

💻 Affected Systems

Products:
  • Contiki OS
Versions: 3.0
Operating Systems: Contiki OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Telnet server enabled. Contiki is commonly used in IoT/embedded devices.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Denial of service causing complete system unavailability due to CPU exhaustion, potentially affecting critical IoT/embedded systems.

🟠 Likely Case

Degraded performance and service disruption on affected devices, requiring manual intervention to restore functionality.

🟢 If Mitigated

Minimal impact if Telnet is disabled or proper monitoring detects abnormal CPU usage patterns.

🌐 Internet-Facing: HIGH - Telnet servers exposed to the internet are vulnerable to remote DoS attacks without authentication.
🏢 Internal Only: MEDIUM - Internal systems could still be affected by malicious or accidental triggering.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to Telnet port (typically 23). No authentication needed to trigger the condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contiki 3.x with fix from GitHub issue #2688

Vendor Advisory: https://github.com/contiki-os/contiki/issues/2688

Restart Required: Yes

Instructions:

1. Update Contiki OS to a version that includes the fix from GitHub issue #2688.
2. Recompile and redeploy the affected firmware.
3. Restart devices with the updated firmware.

🔧 Temporary Workarounds

Disable Telnet Server (platform: all)

Disable the Telnet server functionality in the Contiki configuration. Modify project-conf.h to disable TELNETD:

#define TELNETD 0

Network Segmentation (platform: linux)

Restrict access to the Telnet port (23) using firewall rules on a Linux firewall or gateway in front of the devices. Note that the INPUT chain only filters traffic addressed to the host the rule runs on; traffic forwarded to downstream devices is filtered in the FORWARD chain.

iptables -A INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

  • Implement network monitoring for abnormal CPU usage patterns on Contiki devices
  • Deploy rate limiting or connection limits to Telnet service

🔍 How to Verify

Check if Vulnerable:

Check if running Contiki 3.0 with Telnet server enabled. Test by connecting to Telnet port and monitoring client behavior when server terminates unexpectedly.

Check Version:

Check Contiki version in source code or firmware metadata

Verify Fix Applied:

After patching, test Telnet connections and verify clients disconnect properly when server terminates.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage logs from Contiki devices
  • Telnet connection anomalies
  • Process hanging indicators

Network Indicators:

  • Multiple stalled Telnet connections
  • Unusual traffic patterns to port 23

SIEM Query:

source="contiki" AND (cpu_usage>90 OR process="telnetd")
